Speaking Up About Silent Cyber: Misconceptions About Cyber Insurance

OVERVIEW

Whether it’s a data breach, ransomware, or phishing emails, businesses are facing a constantly evolving range of cyber threats. And with cyber crime costing up to $600 billion a year – attacks such as last year’s NotPetya and WannaCry remind us that the digital world is moving into the physical world with business interruption, legal fees and even impacts to brand and reputation at stake.

Despite the growing threat, there are still widespread misconceptions about cyber risk – and how to cover it using insurance.

Recent headlines highlight possible confusion of what is covered by an organization’s portfolio of commercial insurance lines when a cyber event occurs. Stephanie Snyder, senior vice president and commercial strategy leader, Cyber Solutions at Aon, notes that the common misconception that “cyber insurance doesn’t pay” tends to reference insurance policies that are not actually cyber insurance policies.

As cyber risk becomes more ubiquitous, its definition – from cause through to coverage – could be open to debate. Increasingly, cyber risk, as it permeates our lives with credit card swipes and seemingly innocent clicks on emails, becomes a “silent” risk – one that is there but may not be understood until after a loss occurs.

IN DEPTH

Traditional commercial insurance policies – such as property and casualty and crime, kidnap and ransom – might not have been designed to explicitly address, either to include or exclude, cyber-related losses. If a policy does not affirmatively grant or exclude cyber coverage, this is termed “silent cyber” – and there’s no guarantee that it will actually cover a loss.

Neil Harrison, Aon’s global head of claims, notes the uptick in cyber-related claims over the past few years, including those that bring “silent cyber,” also dubbed “accidental cyber,” into play. This occurs when a cyber loss is covered that may not have been expressly underwritten into the policy. The result may be “clash claims,” where more than one policy responds to the same cause of loss – for example, the traditional property or casualty policy, as well as the cyber insurance policy. “As we’ve begun to see more claims with cyber as a cause for loss, the market is shifting to accommodate cyber, so it’s written for a purpose instead of an element of coverage in an existing policy,” said Harrison.

The Evolving Nature of Cyber Insurance Coverage

Among the threats businesses face from cyber attacks are financial losses or exposure of data through social engineering or “phishing” scams, physical damage to property resulting from cyber attacks, data breaches that expose customer information and – most impactful – business disruption. Businesses could be burned by relying on silent cyber coverage in their existing property and casualty portfolio, rather than seeking affirmative coverage grants for cyber loss or a standalone cyber insurance policy to cover such losses.

“When faced with a loss, businesses will seek indemnification anywhere it is available,” Snyder said. “If their policies have not been constructed to specifically address a breach-related loss, then there’s a chance that there may not be coverage.”

Relying on silent cyber coverage isn’t enough. “Businesses really have to understand the coverage they have and the coverage they need,” Snyder said.

For example, a cyber assessment and quantification analysis can review potential vulnerabilities as well as various cyber attack scenarios, modeling the potential financial impact of each tested instance. Coupled with a review of existing insurance coverages, understanding what vulnerabilities exist and the financial implications can better guide the cyber insurance purchasing decision. After a comprehensive review of coverages, cyber insurance can help fill gaps in an organization’s overall cyber protection program.

Insurers too, are playing a role. For example, modeling and scenario creation can help not only the insurance industry prepare for cyber-related losses but broader organizations as well. Jon Laux, Aon’s head of cyber analytics in the Reinsurance Solutions business states, “By using various scenarios, insurers have the ability to stress test their portfolios against new and emerging perils created by cyber risk. With that knowledge, insurers can take steps to mitigate risk, through reinsurance as well as working with businesses to increase their resilience.”

Recognizing there is no one-size-fits-all approach to cyber risk, organizations and insurers will continue to evolve how they think about the risk. From modeling and scenario creation all the way through to crafting better coverage, various stakeholders will continue to address the evolving risk concerns.

Disclaimer: All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.